The Department of Health and Human Services’ Office of Inspector General (OIG) has conducted security audits at two managed care organizations (MCOs) in Arizona and discovered a slew of security vulnerabilities in information systems that could potentially be exploited to gain access to Medicaid claims data and placed system integrity at risk.

OIG performed the audits to find out if the Arizona MCOs had implemented sufficient security controls on information systems and if they were complying with the requirements of the Health Insurance Portability and Accountability Act (HIPAA). OIG found 19 security flaws – 5 in access controls and 14 in configuration management – covering 9 security control areas. Vulnerabilities were identified in access controls, administrative controls, antivirus management, patch management, database management, website security, server management and the configuration of network devices. OIG did not discover any evidence to suggest vulnerabilities had been exploited but the compliance failures were individually, and collectively significant.

Two examples of vulnerabilities in access controls were the failure to deactivate the user accounts of terminated personnel promptly and the lack of multi-factor authentication for remote network access.

Examples of vulnerabilities in configuration management include the misconfiguration of firewall Secure Shell (SSH) session timeouts. Although the standard timeout was 5 minutes, it was changed to 30 minutes in one MCO. That length of time would permit an attacker to access the system through an authenticated administrator account that was not terminated.

The MCOs did not implement patches on workstations quickly placing systems at risk. The delay in applying patches allowed the threat actors behind WannaCry to cripple the UK’s National Health Service (NHS) computer systems in May 2017.

One of the MCOs did not update their antivirus software automatically. Around half of its servers had AV software with out of date virus definitions. One MCO still used unsupported software on three production servers and the claims processing database was not encrypted.

The auditors discovered 10 of the 19 vulnerabilities in three security control areas were present at both MCOs. Finding identical security vulnerabilities at the two MCO’s suggests other MCOs throughout the United States could have similar undressed vulnerabilities.

OIG also noted there are different federal regulations covering Medicaid data security depending on who retains the data. The differences in security requirements for state agencies and MCOs could possibly impact state-MCO relationships across the country, increasing the risk of exposure of Medicaid information.

OIG proposed that CMS should perform a documented risk analysis to find out how different Federal security requirements creates cybersecurity risks for Medicaid information and recommended that CMS should determine actions that should be taken to correct any security gaps.

OIG also advised the CMS to alert all state agencies about the results of the audits to improve understanding of the vulnerabilities to enhance awareness of cybersecurity risks nationally.

The CMS didn’t agree with the OIG recommendation to perform a documented risk evaluation because it is already required by the HHS Office for Civil Rights and will only duplicate existing risk evaluation efforts.

OIG remarked that because the issue is about the Medicaid program and the disparate application of Federal security requirements is not OCR’s responsibility, and that the CMS is most suited to the job of ensuring security prerequisites are persistently applied to secure Medicaid information, irrespective of who retains the data. The CMS did agree with the recommendation to inform state agencies about cybersecurity vulnerabilities discovered during the audits.